CN106656463A - Fixed-secret-key symmetric white box password encryption method, device and equipment - Google Patents


Publication number
CN106656463A
Authority
CN
China
Prior art keywords
message
encryption
terminal
group
authentication center
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611107935.5A
Other languages
Chinese (zh)
Inventor
阚志刚
彭建芬
陈彪
王全洲
李世杰
卢佐华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
YANGPUWEIYE TECHNOLOGY Ltd
Original Assignee
YANGPUWEIYE TECHNOLOGY Ltd
Application filed by YANGPUWEIYE TECHNOLOGY Ltd
Priority to CN201611107935.5A
Publication of CN106656463A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a fixed-key symmetric white-box cipher encryption method and device. The method comprises: receiving an encrypted message and an encryption serial number from a message-sending terminal, wherein the encrypted message is obtained by a certification center dividing the message to be sent by the message-sending terminal into groups according to a message grouping scheme and the encryption key corresponding to each group, and encrypting each group with its corresponding encryption key, is returned to the message-sending terminal together with an encryption serial number, and is finally transmitted by the message-sending terminal; storing the received encrypted message in association with the encryption serial number; in response to a request to obtain the message content, sending the stored encrypted message and encryption serial number to the certification center; and receiving the decrypted message content from the certification center. The method achieves information security in the case where the operation and storage of the encrypted data are treated as a white box.

Description

Fixed-key symmetric white-box cipher encryption method, device and equipment
Technical field
The present disclosure relates generally to the field of computer technology, in particular to the field of information processing security, and more particularly to a fixed-key symmetric white-box cipher encryption method and device.
Background
In data transmission and storage, data usually needs to be encrypted for information security. Current encryption mainly assumes that an attacker cannot reach the environment in which encryption runs and cannot control the environment in which the encrypted data is stored, and therefore cannot access the algorithm and key used for encryption. That is, the encryption process and the storage of the encrypted data exist as a black box that the attacker cannot see into.
In practice, however, in some cases an attacker can reach the environment in which encryption runs, and can even gain control of the data encryption and encrypted-data storage environment. The attacker can then readily deduce the encryption algorithm, the key and so on by reverse engineering from intermediate data and environment data in that environment, and so attack the data. This raises the question of how to achieve information security when an attacker can gain control of the data encryption and encrypted-data storage environment, that is, how to achieve information security when the operation on the encrypted data and the storage of the encrypted data are treated as a "white box".
Summary of the invention
In view of the above defects or deficiencies of the prior art, it is desirable to provide a scheme that achieves information security when an attacker can gain control of the environment in which the encrypted data is processed and stored, that is, a scheme that achieves information security when the operation and storage of the encrypted data are treated as a "white box".
In a first aspect, an embodiment of the present application provides an asymmetric white-box cipher encryption method, the method comprising: receiving an encrypted message and an encryption serial number from a message-sending terminal, wherein the encrypted message is obtained by the authentication center dividing the message to be sent by the message-sending terminal into groups according to a message grouping scheme and the encryption key corresponding to each group, and encrypting each group with the encryption key corresponding to that group, is returned to the message-sending terminal together with an assigned encryption serial number, and is then forwarded by the message-sending terminal; storing the received encrypted message in association with the encryption serial number; in response to a request to obtain the message content, sending the stored encrypted message and encryption serial number to the authentication center, so that the authentication center authenticates the identity of the message-receiving terminal and, after authentication succeeds, decrypts the encrypted message according to the message grouping scheme and the encryption key corresponding to each group that the authentication center used when encrypting the message; and receiving the decrypted message content from the authentication center.
In a second aspect, an embodiment of the present application provides an asymmetric white-box cipher encryption method, the method comprising: receiving an encrypted message and an encryption serial number from a message-receiving terminal, wherein the encrypted message is obtained by dividing the message to be sent by the message-sending terminal into groups according to a message grouping scheme and the encryption key corresponding to each group, and encrypting each group with the encryption key corresponding to that group, is returned to the message-sending terminal together with an assigned encryption serial number, is forwarded by the message-sending terminal to the message-receiving terminal, and is forwarded by the message-receiving terminal in response to a request to obtain the message content; authenticating the identity of the message-receiving terminal; if authentication succeeds, decrypting the encrypted message according to the message grouping scheme and the encryption key corresponding to each group that were used when encrypting the message; and sending the decrypted message content to the message-receiving terminal.
In a third aspect, an embodiment of the present application provides a fixed-key symmetric white-box cipher encryption method, the method comprising: sending the message to be encrypted to the authentication center; if the authentication center's authentication of the message-sending terminal succeeds, receiving the encrypted message that the authentication center obtained by encrypting the message to be encrypted according to a message grouping scheme and the encryption key corresponding to each group, together with the encryption serial number assigned by the authentication center; and sending the encrypted message together with the encryption serial number to the message-receiving terminal.
In a fourth aspect, an embodiment of the present application provides a fixed-key symmetric white-box cipher encryption device, the device comprising: a first receiving unit, configured to receive an encrypted message and an encryption serial number from a message-sending terminal, wherein the encrypted message is obtained by the authentication center dividing the message to be sent by the message-sending terminal into groups according to a message grouping scheme and the encryption key corresponding to each group, and encrypting each group with the encryption key corresponding to that group, is returned to the message-sending terminal together with an assigned encryption serial number, and is then forwarded by the message-sending terminal; a first storage unit, configured to store the received encrypted message in association with the encryption serial number; a first sending unit, configured to, in response to a request to obtain the message content, send the stored encrypted message and encryption serial number to the authentication center, so that the authentication center authenticates the identity of the message-receiving terminal and, after authentication succeeds, decrypts the encrypted message according to the message grouping scheme and the encryption key corresponding to each group that the authentication center used when encrypting the message; and a second receiving unit, configured to receive the decrypted message content from the authentication center.
In a fifth aspect, an embodiment of the present application provides a fixed-key symmetric white-box cipher encryption device, the device comprising: a third receiving unit, configured to receive an encrypted message and an encryption serial number from a message-receiving terminal, wherein the encrypted message is obtained by dividing the message to be sent by the message-sending terminal into groups according to a message grouping scheme and the encryption key corresponding to each group, and encrypting each group with the encryption key corresponding to that group, is returned to the message-sending terminal together with an assigned encryption serial number, is forwarded by the message-sending terminal to the message-receiving terminal, and is forwarded by the message-receiving terminal in response to a request to obtain the message content; a first authentication unit, configured to authenticate the identity of the message-receiving terminal; a decryption unit, configured to, if authentication succeeds, decrypt the encrypted message according to the message grouping scheme and the encryption key corresponding to each group that were used when encrypting the message; and a second sending unit, configured to send the decrypted message content to the message-receiving terminal.
In a sixth aspect, an embodiment of the present application provides a fixed-key symmetric white-box cipher encryption device, the device comprising: a fifth sending unit, configured to send the message to be encrypted to the authentication center; a fifth receiving unit, configured to, if the authentication center's authentication of the message-sending terminal succeeds, receive the encrypted message that the authentication center obtained by encrypting the message to be encrypted according to a message grouping scheme and the encryption key corresponding to each group, together with the encryption serial number assigned by the authentication center; and a sixth sending unit, configured to send the encrypted message together with the encryption serial number to the message-receiving terminal.
In a seventh aspect, an embodiment of the present application provides equipment comprising a processor, a memory and a display; the memory contains instructions executable by the processor that cause the processor to perform: receiving an encrypted message and an encryption serial number from a message-sending terminal, wherein the encrypted message is obtained by the authentication center dividing the message to be sent by the message-sending terminal into groups according to a message grouping scheme and the encryption key corresponding to each group, and encrypting each group with the encryption key corresponding to that group, is returned to the message-sending terminal together with an assigned encryption serial number, and is then forwarded by the message-sending terminal; storing the received encrypted message in association with the encryption serial number; in response to a request to obtain the message content, sending the stored encrypted message and encryption serial number to the authentication center, so that the authentication center authenticates the identity of the message-receiving terminal and, after authentication succeeds, decrypts the encrypted message according to the message grouping scheme and the encryption key corresponding to each group that the authentication center used when encrypting the message; and receiving the decrypted message content from the authentication center.
In an eighth aspect, an embodiment of the present application provides equipment comprising a processor, a memory and a display; the memory contains instructions executable by the processor that cause the processor to perform: receiving an encrypted message and an encryption serial number from a message-receiving terminal, wherein the encrypted message is obtained by dividing the message to be sent by the message-sending terminal into groups according to a message grouping scheme and the encryption key corresponding to each group, and encrypting each group with the encryption key corresponding to that group, is returned to the message-sending terminal together with an assigned encryption serial number, is forwarded by the message-sending terminal to the message-receiving terminal, and is forwarded by the message-receiving terminal in response to a request to obtain the message content; authenticating the identity of the message-receiving terminal; if authentication succeeds, decrypting the encrypted message according to the message grouping scheme and the encryption key corresponding to each group that were used when encrypting the message; and sending the decrypted message content to the message-receiving terminal.
In a ninth aspect, an embodiment of the present application provides equipment comprising a processor, a memory and a display; the memory contains instructions executable by the processor that cause the processor to perform: sending the message to be encrypted to the authentication center; if the authentication center's authentication of the message-sending terminal succeeds, receiving the encrypted message that the authentication center obtained by encrypting the message to be encrypted according to a message grouping scheme and the encryption key corresponding to each group, together with the encryption serial number assigned by the authentication center; and sending the encrypted message together with the encryption serial number to the message-receiving terminal.
In the embodiments of the present application, the message-receiving terminal does not store the encryption key used to encrypt the message; it does not even know the encryption key, because encryption and decryption are performed by the authentication center. What the message-receiving terminal stores is the received encrypted message and the encryption serial number. Thus, even if an attacker gains control of the environment in which the encrypted data is processed and stored, the attacker cannot decrypt the encrypted data. In addition, the message is not encrypted with a single key: according to a message grouping scheme and the encryption key corresponding to each group, the message is divided into groups and each group is encrypted with the encryption key corresponding to that group. With an encryption method this complex, even an attacker who gains control of the environment in which the encrypted data is processed and stored will find it difficult to recover the grouping scheme and the individual encryption keys by reverse engineering, and so cannot decrypt the encrypted message. When the message-receiving terminal wants to know the content of the message, it can obtain the decrypted message. To do so, it sends the encrypted message and the corresponding encryption serial number to the authentication center. The authentication center authenticates the identity of the message-receiving terminal and, after authentication succeeds, decrypts the encrypted message according to the message grouping scheme and the encryption key corresponding to each group that it used when encrypting the message, and returns the decrypted message to the message-receiving terminal. Encryption and decryption are both performed at the authentication center. Even if an attacker gains control of the environment in which the encrypted data is processed and stored, the attacker cannot reverse-engineer and crack the encrypted message with only an encryption serial number. If an attacker obtains the encryption serial number, a request to the authentication center for the decrypted data cannot succeed either, because the attacker cannot pass the authentication center's authentication of the requester's identity. The message-receiving terminal can pass authentication and can therefore request the decrypted data. In this way, information security is still achieved even when an attacker can gain control of the environment in which the encrypted data is processed and stored.
Description of the drawings
Other features, objects and advantages of the present application will become more apparent on reading the detailed description of non-limiting embodiments given with reference to the following drawings:
Fig. 1 shows an exemplary system architecture to which the embodiments of the present application can be applied;
Fig. 2 shows an exemplary flowchart of the fixed-key symmetric white-box cipher encryption method on the message-receiving terminal side according to an embodiment of the present application;
Fig. 3 shows an exemplary flowchart of the fixed-key symmetric white-box cipher encryption method on the authentication center side according to an embodiment of the present application;
Fig. 4 shows an exemplary flowchart of the fixed-key symmetric white-box cipher encryption method on the message-sending terminal side according to an embodiment of the present application;
Fig. 5 shows an exemplary block diagram of the fixed-key symmetric white-box cipher encryption device on the message-receiving terminal side according to an embodiment of the present application;
Fig. 6 shows an exemplary block diagram of the fixed-key symmetric white-box cipher encryption device on the authentication center side according to an embodiment of the present application;
Fig. 7 shows an exemplary block diagram of the fixed-key symmetric white-box cipher encryption device on the message-sending terminal side according to an embodiment of the present application;
Fig. 8 shows a structural diagram of a computer system suitable for implementing the message-receiving terminal of the embodiments of the present application;
Fig. 9 shows a structural diagram of a computer system suitable for implementing the authentication center of the embodiments of the present application;
Fig. 10 shows a structural diagram of a computer system suitable for implementing the message-sending terminal of the embodiments of the present application.
Detailed description
The present application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and do not limit it. It should also be noted that, for ease of description, the drawings show only the parts related to the invention.
It should be noted that, where they do not conflict, the embodiments of the present application and the features in the embodiments can be combined with one another. The present application is described in detail below with reference to the drawings and in conjunction with the embodiments.
Refer to Fig. 1, which shows an exemplary system architecture to which the embodiments of the present application can be applied.
As shown in Fig. 1, the system architecture can include a message-sending terminal 102, an authentication center 101 and a message-receiving terminal 103. The message-sending terminal 102 is the terminal that sends a message. The message-receiving terminal 103 is the terminal that receives a message. A terminal can be a physical hardware entity, such as a mobile unit or a mobile phone, or a component inside hardware, such as an ECU in a vehicle. The authentication center 101 is the center that authenticates the identity of the terminals sending and receiving messages and that encrypts and decrypts messages. It can be located on the server side, for example on a cloud server, or it can be part of the hardware; for example, in the case of ECU identity authentication in a vehicle, it can be located on the vehicle as part of the vehicle.
As mentioned in the background, current encryption mainly assumes that an attacker cannot reach the environment in which encryption runs and cannot control the environment in which the encrypted data is stored, and therefore cannot access the algorithm and key used for encryption. That is, the encryption process and the storage of the encrypted data exist as a black box that the attacker cannot see into. In practice, however, in some cases an attacker can reach the environment in which encryption runs, and can even gain control of the data encryption and encrypted-data storage environment. The attacker can then readily deduce the encryption algorithm, the key and so on by reverse engineering from intermediate data and environment data in that environment, and so attack the data. This raises the question of how to achieve information security when an attacker can gain control of the data encryption and encrypted-data storage environment, that is, how to achieve information security when the operation on the encrypted data and the storage of the encrypted data are treated as a "white box".
In the embodiments of the present application, the message-receiving terminal does not store the encryption key used to encrypt the message; it does not even know the encryption key, because encryption and decryption are performed by the authentication center. What the message-receiving terminal stores is the received encrypted message and the encryption serial number. Thus, even if an attacker gains control of the environment in which the encrypted data is processed and stored, the attacker cannot decrypt the encrypted data. In addition, the message is not encrypted with a single key: according to a message grouping scheme and the encryption key corresponding to each group, the message is divided into groups and each group is encrypted with the encryption key corresponding to that group. With an encryption method this complex, even an attacker who gains control of the environment in which the encrypted data is processed and stored will find it difficult to recover the grouping scheme and the individual encryption keys by reverse engineering, and so cannot decrypt the encrypted message. When the message-receiving terminal wants to know the content of the message, it can obtain the decrypted message. To do so, it sends the encrypted message and the corresponding encryption serial number to the authentication center. The authentication center authenticates the identity of the message-receiving terminal and, after authentication succeeds, decrypts the encrypted message according to the message grouping scheme and the encryption key corresponding to each group that it used when encrypting the message, and returns the decrypted message to the message-receiving terminal. Encryption and decryption are both performed at the authentication center. Even if an attacker gains control of the environment in which the encrypted data is processed and stored, the attacker cannot reverse-engineer and crack the encrypted message with only an encryption serial number. If an attacker obtains the encryption serial number, a request to the authentication center for the decrypted data cannot succeed either, because the attacker cannot pass the authentication center's authentication of the requester's identity. The message-receiving terminal can pass authentication and can therefore request the decrypted data. In this way, information security is still achieved even when an attacker can gain control of the environment in which the encrypted data is processed and stored.
Refer to Fig. 2, which shows an exemplary flowchart of the fixed-key symmetric white-box cipher encryption method according to an embodiment of the present application. The method shown in Fig. 2 can be performed by the message-receiving terminal 103 in Fig. 1. The concept of a "white box" is described above. "Symmetric" encryption refers to encryption technology in which encryption and decryption are done with the same key.
As shown in Fig. 2, in step 210, an encrypted message and an encryption serial number are received from the message-sending terminal.
The encrypted message is obtained by the authentication center dividing the message to be sent by the message-sending terminal into groups according to a message grouping scheme and the encryption key corresponding to each group, and encrypting each group with the encryption key corresponding to that group; it is returned to the message-sending terminal together with an assigned encryption serial number and then sent on by the message-sending terminal, to be decrypted later by the authentication center.
To send a message, the message-sending terminal must first have it encrypted. In the embodiments of the present application, encryption is performed by the authentication center, to ensure information security. The message-sending terminal sends the message to be encrypted to the authentication center. The authentication center must first authenticate the identity of the message-sending terminal, and can encrypt the message only after authentication succeeds. To authenticate that identity, the authentication center can actively query the identifier of the message-sending terminal. If the terminal were allowed to report its own identifier, an unauthorized message-sending terminal that knows the identifier of another, authorized message-sending terminal could disguise that identifier as its own, report it to the authentication center, and pass authentication under false pretences. The authentication center therefore actively queries the identifier of the message-sending terminal. In general, under the communication protocol between the message-sending terminal and the authentication center, when a message is sent to the authentication center the identifier of the message-sending terminal is loaded automatically, according to the protocol, into a specific field of the message sent; this field cannot be altered manually and is dedicated to indicating the identity of the message sender. The authentication center can therefore obtain the message-sending terminal identifier from that specific field of the messages exchanged between the message-sending terminal and the authentication center. Because the identifier in this field cannot be tampered with, the identifier of the message-sending terminal is determined accurately in this way. The message-sending terminal identifier is then compared with the authorized terminal identifier list. The identifiers of all terminals that can be trusted as message senders are registered in advance in the authorized terminal identifier list of the authentication center. If the message-sending terminal identifier is in the authorized terminal identifier list, authentication succeeds. If it is not in the list, authentication fails.
If the authentication center's authentication of the message-sending terminal succeeds, the authentication center generates a message grouping scheme, the encryption key corresponding to each group, and an encryption serial number. A message grouping scheme is a scheme for how the message is divided into groups in order to encrypt it. For example, message grouping scheme 1 specifies that the message is divided into three groups: group A1, group B1, group C2. Message grouping scheme 2 specifies that the message is divided by size in the ratio 2:1:1 into three groups: group A2, group B2, group C2. To generate a message grouping scheme, several message grouping schemes can be specified in advance and one of them then chosen at random. For example, 10 message grouping schemes are specified in advance: message grouping scheme 1, message grouping scheme 2, ..., message grouping scheme 10. When a message grouping scheme needs to be generated, one is chosen at random from among them. The encryption key corresponding to each group can likewise be generated by specifying an encryption key set in advance and then choosing from it at random. For example, the encryption key set contains 100 keys. In message grouping scheme 1 mentioned above, in which the message is divided equally into group A1, group B1 and group C2, an encryption key k1 is chosen at random from the 100 keys for group A1, an encryption key k2 is chosen at random from the 100 keys for group A2, and an encryption key k3 is chosen at random from the 100 keys for group A3. The encryption serial number is a sequence number that distinguishes the current encryption from other encryptions. Each time the authentication center performs an encryption, it assigns one encryption serial number. In general, the encryption serial number assigned each time is different. In subsequent decryption, the received encryption serial number can therefore be used to find the unique message grouping scheme and the encryption key corresponding to each group that were used when encrypting the message, and so to decrypt the encrypted message.
After generating the message grouping scheme, the encryption key corresponding to each group and the encryption serial number, the authentication center encrypts the message to be encrypted according to the generated message grouping scheme and the encryption key corresponding to each group, obtaining the encrypted message. The authentication center then sends the encrypted message and the encryption serial number to the message-sending terminal. The message-sending terminal sends the encrypted message together with the encryption serial number to the message-receiving terminal.
For example, suppose the generated message grouping scheme is message grouping scheme 1, that is, the message is divided equally into group A1, group B1 and group C2, the encryption key corresponding to group 1 is k1, the encryption key corresponding to group 2 is k2, and the encryption key corresponding to group 3 is k3. The authentication center first divides the message to be encrypted into 3 groups, encrypts them with k1, k2 and k3 respectively, combines them, and sends the result together with the encryption serial number to the message-sending terminal, which then sends it to the message-receiving terminal.
In step 220, the received encrypted message is stored in association with the encryption serial number.
In the embodiments of the present application, the encryption key for the encrypted message is not stored at the message receiving terminal; the message receiving terminal does not even know the encryption key, because decryption is performed by the authentication center. What the message receiving terminal stores is the received encrypted message and the encryption serial number. Thus, even if an attacker gains control of the environment in which the encrypted data runs and is stored, the attacker cannot decrypt the encrypted data. In addition, the encrypted message is not encrypted with a single key; rather, the authentication center divides the message to be sent by the message sending terminal into groups according to the message grouping scheme and encrypts each group with the encryption key corresponding to that group. With such a complex encryption method, even if an attacker gains control of the environment in which the encrypted data runs and is stored, it is difficult to recover the grouping scheme and each encryption key by reverse engineering, and so the encrypted message cannot be decrypted.
In step 230, in response to a request to obtain the message content, the stored encrypted message and its encryption serial number are sent to the authentication center, so that the authentication center authenticates the identity of the message receiving terminal and, after authentication passes, decrypts the encrypted message according to the message grouping scheme and the encryption key corresponding to each group that the authentication center used when encrypting the message.
As mentioned above, for information security, the message is always stored in encrypted form at the message receiving terminal. When the message receiving terminal wants to know the content of the message, in response to a request to obtain the message content (which may come from outside the message receiving terminal or from a module inside it), it sends the encrypted message and the corresponding encryption serial number to the authentication center. The authentication center then authenticates the identity of the message receiving terminal. The identity of the message receiving terminal can be authenticated by actively querying the identifier of the message receiving terminal. If the message receiving terminal were allowed to report its own identifier, an unauthorized message receiving terminal (possibly an attacker) might learn the identifier of another, authorized message receiving terminal and report that identifier to the authentication center as its own, thereby passing authentication under false pretences. Therefore, the authentication center actively queries the identifier of the message receiving terminal. In general, under the communication protocol between the message receiving terminal and the authentication center, when the message receiving terminal sends a message to the authentication center, its identifier is loaded automatically, according to the communication protocol, into a specific field of the transmitted message. This field cannot be modified manually and is dedicated to indicating the identity of the party communicating with the authentication center. The authentication center can therefore obtain the message receiving terminal identifier from the specific field in the messages exchanged between the message receiving terminal and the authentication center. Because the identifier in this field cannot be tampered with, the identifier of the message receiving terminal is determined accurately in this way. The message receiving terminal identifier is then compared with the authorized terminal identifier list. The identifiers of terminals that can be trusted to communicate securely are all registered in advance in the authorized terminal identifier list of the authentication center. If the message receiving terminal identifier is in the authorized terminal identifier list, authentication passes. If the message receiving terminal identifier is not in the authorized terminal identifier list, authentication fails.
In addition to generating the message grouping scheme, the encryption key corresponding to each group, and the encryption serial number, the authentication center also stores the generated message grouping scheme and the encryption key corresponding to each group in association with the encryption serial number. Thus, after the authentication center has authenticated the identity of the message receiving terminal and authentication has passed, it can look up, from this stored record, the message grouping scheme and encryption keys corresponding to the received encryption serial number. The authentication center decrypts the encrypted message according to the message grouping scheme found and the encryption key corresponding to each group.
Because the key parts of decryption are all carried out at the authentication center, even if an attacker gains control of the environment in which the encrypted data runs and is stored, the attacker cannot reverse-engineer and crack the encrypted message with only an encryption serial number. If the attacker obtains the encryption serial number and requests the decrypted data from the authentication center, that cannot succeed either, because the attacker cannot pass the authentication center's authentication of the requester's identity. The message receiving terminal, by contrast, can pass authentication and can therefore request the decrypted data. In this way, information security is still achieved even when an attacker can gain control of the environment in which the encrypted data runs and is stored.
In step 240, the decrypted message content is received from the authentication center.
Referring to Fig. 3, an exemplary flowchart of a fixed-key symmetric white-box cipher encryption method according to an embodiment of the present application is shown. The method shown in Fig. 3 can be performed by the authentication center 101 in Fig. 1. The concept of "white box" has been described above. "Symmetric" encryption refers to an encryption technique in which encryption and decryption are performed with the same fixed key.
As shown in Fig. 3, in step 310, the encrypted message and the encryption serial number are received from the message receiving terminal.
The encrypted message is obtained by the authentication center dividing the message to be sent by the message sending terminal into groups according to the message grouping scheme and encrypting each group with the encryption key corresponding to that group. It is returned to the message sending terminal together with the allocated encryption serial number, forwarded by the message sending terminal to the message receiving terminal, and sent by the message receiving terminal to the authentication center in response to a request to obtain the message content.
In fact, before step 310, the method further includes: receiving the message to be encrypted from the message sending terminal; authenticating the identity of the message sending terminal; if authentication passes, generating a message grouping scheme, an encryption key corresponding to each group, and an encryption serial number; encrypting the message to be encrypted according to the generated message grouping scheme and the encryption key corresponding to each group to obtain the encrypted message; and sending the encrypted message and the encryption serial number to the message sending terminal.
When the message sending terminal wants to send a message, the message must first be encrypted. In the embodiments of the present application, encryption is performed by the authentication center to ensure information security. The message sending terminal sends the message to be encrypted to the authentication center. The authentication center must first authenticate the identity of the message sending terminal, and can encrypt the message only after authentication passes. The identity of the message sending terminal can be authenticated by actively querying the identifier of the message sending terminal. If the message sending terminal were allowed to report its own identifier, an unauthorized message sending terminal might learn the identifier of another, authorized message sending terminal and report that identifier to the authentication center as its own, thereby passing authentication under false pretences. Therefore, the authentication center actively queries the identifier of the message sending terminal. In general, under the communication protocol between the message sending terminal and the authentication center, when the message sending terminal sends a message to the authentication center, its identifier is loaded automatically, according to the communication protocol, into a specific field of the transmitted message. This field cannot be modified manually and is dedicated to indicating the identity of the message sender. The authentication center can therefore obtain the message sending terminal identifier from the specific field in the messages exchanged between the message sending terminal and the authentication center. Because the identifier in this field cannot be tampered with, the identifier of the message sending terminal is determined accurately in this way. The message sending terminal identifier is then compared with the authorized terminal identifier list. The identifiers of terminals that can be trusted as message senders are all registered in advance in the authorized terminal identifier list of the authentication center. If the message sending terminal identifier is in the authorized terminal identifier list, authentication passes. If the message sending terminal identifier is not in the authorized terminal identifier list, authentication fails.
If the authentication center successfully authenticates the message sending terminal, the authentication center generates a message grouping scheme, an encryption key corresponding to each group, and an encryption serial number. A message grouping scheme is a scheme for how to divide a message into groups in order to encrypt it. For example, message grouping scheme 1 specifies that the message is divided into three groups: group A1, group B1, group C2. Message grouping scheme 2 specifies that the message is divided by size in the ratio 2:1:1 into three groups: group A2, group B2, group C2. The message grouping scheme can be generated by specifying several message grouping schemes in advance and then randomly designating one of them. For example, 10 message grouping schemes are specified in advance: message grouping scheme 1, message grouping scheme 2, ..., message grouping scheme 10. When a message grouping scheme needs to be generated, one is randomly designated from among them. The encryption key corresponding to each group can likewise be generated by specifying an encryption key set in advance and then randomly designating keys from it. For example, the encryption key set contains 100 keys. In message grouping scheme 1 mentioned above, which divides the message equally into group A1, group B1 and group C2, an encryption key k1 is randomly designated from the 100 keys for group A1, an encryption key k2 is randomly designated from the 100 keys for group A2, and an encryption key k3 is randomly designated from the 100 keys for group A3. The encryption serial number is a sequence number that distinguishes the current encryption from other encryptions. Each time the authentication center performs an encryption, it allocates one encryption serial number. In general, the encryption serial number allocated each time is different. In this way, at subsequent decryption, the message grouping scheme and the encryption key corresponding to each group that were used to encrypt the message can be uniquely found from the received encryption serial number, and the encrypted message can be decrypted.
After generating the message grouping scheme, the encryption key corresponding to each group, and the encryption serial number, the authentication center encrypts the message to be encrypted according to the generated message grouping scheme and the encryption key corresponding to each group, obtaining the encrypted message. For example, suppose the generated message grouping scheme is message grouping scheme 1, that is, the message is divided equally into group A1, group B1 and group C2, the encryption key corresponding to group 1 is k1, the encryption key corresponding to group 2 is k2, and the encryption key corresponding to group 3 is k3. The authentication center first divides the message to be encrypted into 3 groups, encrypts them with k1, k2 and k3 respectively, and combines them to obtain the encrypted message.
Then, the authentication center sends the encrypted message and the encryption serial number to the message sending terminal. The message sending terminal sends the encrypted message together with the encryption serial number to the message receiving terminal.
Then, the message receiving terminal stores the received encrypted message in association with the encryption serial number.
In the embodiments of the present application, the encryption key for the encrypted message is not stored at the message receiving terminal; the message receiving terminal does not even know the encryption key, because decryption is performed by the authentication center. What the message receiving terminal stores is the received encrypted message and the encryption serial number. Thus, even if an attacker gains control of the environment in which the encrypted data runs and is stored, the attacker cannot decrypt the encrypted data. In addition, the encrypted message is not encrypted with a single key; rather, the authentication center divides the message to be sent by the message sending terminal into groups according to the message grouping scheme and encrypts each group with the encryption key corresponding to that group. With such a complex encryption method, even if an attacker gains control of the environment in which the encrypted data runs and is stored, it is difficult to recover the grouping scheme and each encryption key by reverse engineering, and so the encrypted message cannot be decrypted.
Then, in response to a request to obtain the message content, the message receiving terminal sends the stored encrypted message and its encryption serial number to the authentication center.
In step 320, the identity of the message receiving terminal is authenticated.
The identity of the message receiving terminal can be authenticated by actively querying the identifier of the message receiving terminal. If the message receiving terminal were allowed to report its own identifier, an unauthorized message receiving terminal (possibly an attacker) might learn the identifier of another, authorized message receiving terminal and report that identifier to the authentication center as its own, thereby passing authentication under false pretences. Therefore, the authentication center actively queries the identifier of the message receiving terminal. In general, under the communication protocol between the message receiving terminal and the authentication center, when the message receiving terminal sends a message to the authentication center, its identifier is loaded automatically, according to the communication protocol, into a specific field of the transmitted message. This field cannot be modified manually and is dedicated to indicating the identity of the party communicating with the authentication center. The authentication center can therefore obtain the message receiving terminal identifier from the specific field in the messages exchanged between the message receiving terminal and the authentication center. Because the identifier in this field cannot be tampered with, the identifier of the message receiving terminal is determined accurately in this way. The message receiving terminal identifier is then compared with the authorized terminal identifier list. The identifiers of terminals that can be trusted to communicate securely are all registered in advance in the authorized terminal identifier list of the authentication center. If the message receiving terminal identifier is in the authorized terminal identifier list, authentication passes. If the message receiving terminal identifier is not in the authorized terminal identifier list, authentication fails.
In step 330, the encrypted message is decrypted according to the message grouping scheme and the encryption key corresponding to each group that were used when encrypting the message.
In addition to generating the message grouping scheme, the encryption key corresponding to each group, and the encryption serial number, the authentication center also stores the generated message grouping scheme and the encryption key corresponding to each group in association with the encryption serial number. Thus, after the authentication center has authenticated the identity of the message receiving terminal and authentication has passed, it can look up, from this stored record, the message grouping scheme and encryption keys corresponding to the received encryption serial number. The authentication center decrypts the encrypted message according to the message grouping scheme found and the encryption key corresponding to each group.
In step 340, the decrypted message content is sent to the message receiving terminal.
Because the key parts of decryption are all carried out at the authentication center, even if an attacker gains control of the environment in which the encrypted data runs and is stored at the message receiving terminal, the attacker cannot reverse-engineer and crack the encrypted message with only an encryption serial number. If the attacker obtains the encryption serial number and requests the decrypted data from the authentication center, that cannot succeed either, because the attacker cannot pass the authentication center's authentication of the requester's identity. The message receiving terminal, by contrast, can pass authentication and can therefore request the decrypted data. In this way, information security is still achieved even when an attacker can gain control of the environment in which the encrypted data runs and is stored.
In one embodiment, the method further includes: if authentication fails, sending an authentication failure message to the message receiving terminal.
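The authentication-center side of the flow described above, as an added example that is not code from the patent. Assumptions: the SHA-256 counter-mode keystream is a stand-in for the symmetric cipher, which the page does not name; the two grouping functions, the terminal identifiers and `peer_id` (the identifier the center reads from the protocol field rather than from the terminal's own claim) are constructed for illustration.

```python
import hashlib
import secrets

def split_equal(n):
    """Grouping scheme 1 (constructed): three groups of near-equal size."""
    base, rem = divmod(n, 3)
    return [base + (1 if i < rem else 0) for i in range(3)]

def split_2_1_1(n):
    """Grouping scheme 2 (constructed): three groups in the ratio 2:1:1."""
    a = n // 2
    b = (n - a) // 2
    return [a, b, n - a - b]

SCHEMES = {1: split_equal, 2: split_2_1_1}

def keystream_xor(key, nonce, data):
    """Stand-in cipher: XOR with a SHA-256 counter keystream (no integrity protection)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

class AuthenticationFailed(Exception):
    pass

class AuthCenter:
    def __init__(self, authorized_ids, pool_size=100):
        self.authorized = set(authorized_ids)   # authorized terminal identifier list
        self.key_pool = [secrets.token_bytes(32) for _ in range(pool_size)]
        self.records = {}                       # serial -> (scheme id, key indices)
        self.next_serial = 1

    def _authenticate(self, peer_id):
        # peer_id is assumed to come from the transport, not from the requester.
        if peer_id not in self.authorized:
            raise AuthenticationFailed(peer_id)

    def _apply(self, serial, scheme_id, key_ids, data):
        # The keystream XOR is its own inverse, so this both encrypts and decrypts.
        sizes = SCHEMES[scheme_id](len(data))
        parts, pos = [], 0
        for index, (size, key_id) in enumerate(zip(sizes, key_ids)):
            # Pool keys are reused across messages, so the nonce binds the
            # keystream to this serial number and group.
            nonce = serial.to_bytes(8, "big") + bytes([index])
            parts.append(keystream_xor(self.key_pool[key_id], nonce, data[pos:pos + size]))
            pos += size
        return b"".join(parts)

    def encrypt(self, peer_id, message):
        self._authenticate(peer_id)
        scheme_id = secrets.choice(list(SCHEMES))
        key_ids = [secrets.randbelow(len(self.key_pool)) for _ in range(3)]
        serial = self.next_serial
        self.next_serial += 1
        self.records[serial] = (scheme_id, key_ids)   # kept only at the center
        return self._apply(serial, scheme_id, key_ids, message), serial

    def decrypt(self, peer_id, ciphertext, serial):
        self._authenticate(peer_id)
        if serial not in self.records:
            raise KeyError("unknown encryption serial number")
        scheme_id, key_ids = self.records[serial]
        return self._apply(serial, scheme_id, key_ids, ciphertext)

def demo():
    center = AuthCenter(authorized_ids={"sender-01", "receiver-01"})
    message = b"constructed sample message for the grouping demo"
    ciphertext, serial = center.encrypt("sender-01", message)
    stored = {serial: ciphertext}   # all the receiving terminal ever holds
    recovered = center.decrypt("receiver-01", stored[serial], serial)
    try:
        # A requester holding ciphertext and serial number but not on the list.
        center.decrypt("unlisted-99", stored[serial], serial)
        rejected = False
    except AuthenticationFailed:
        rejected = True
    return message, ciphertext, recovered, rejected

if __name__ == "__main__":
    print(demo())
```

The whole scheme rests on `peer_id` being trustworthy: if the identifier field can be set by the requester, the allowlist check no longer separates the receiving terminal from anyone who copied its stored ciphertext and serial number.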
Referring to Fig. 4, an exemplary flowchart of a fixed-key symmetric white-box cipher encryption method according to an embodiment of the present application is shown. The method shown in Fig. 4 can be performed by the message sending terminal 102 in Fig. 1. The concept of "white box" has been described above. "Symmetric" encryption refers to an encryption technique in which encryption and decryption are performed with the same fixed key.
As shown in Fig. 3, in step 310, the message to be encrypted is sent to the authentication center.
When the message sending terminal wants to send a message, the message must first be encrypted. In the embodiments of the present application, encryption is performed by the authentication center to ensure information security. The message sending terminal sends the message to be encrypted to the authentication center.
In step 320, if the authentication center successfully authenticates the message sending terminal, the message sending terminal receives the encrypted message, which the authentication center obtained by encrypting the message to be encrypted according to the message grouping scheme and the encryption key corresponding to each group, together with the encryption serial number allocated by the authentication center.
The authentication center must first authenticate the identity of the message sending terminal, and can encrypt the message only after authentication passes. The identity of the message sending terminal can be authenticated by actively querying the identifier of the message sending terminal. If the message sending terminal were allowed to report its own identifier, an unauthorized message sending terminal might learn the identifier of another, authorized message sending terminal and report that identifier to the authentication center as its own, thereby passing authentication under false pretences. Therefore, the authentication center actively queries the identifier of the message sending terminal. In general, under the communication protocol between the message sending terminal and the authentication center, when the message sending terminal sends a message to the authentication center, its identifier is loaded automatically, according to the communication protocol, into a specific field of the transmitted message. This field cannot be modified manually and is dedicated to indicating the identity of the message sender. The authentication center can therefore obtain the message sending terminal identifier from the specific field in the messages exchanged between the message sending terminal and the authentication center. Because the identifier in this field cannot be tampered with, the identifier of the message sending terminal is determined accurately in this way. The message sending terminal identifier is then compared with the authorized terminal identifier list. The identifiers of terminals that can be trusted as message senders are all registered in advance in the authorized terminal identifier list of the authentication center. If the message sending terminal identifier is in the authorized terminal identifier list, authentication passes. If the message sending terminal identifier is not in the authorized terminal identifier list, authentication fails.
If the authentication center successfully authenticates the message sending terminal, the authentication center generates a message grouping scheme, an encryption key corresponding to each group, and an encryption serial number. A message grouping scheme is a scheme for how to divide a message into groups in order to encrypt it. For example, message grouping scheme 1 specifies that the message is divided into three groups: group A1, group B1, group C2. Message grouping scheme 2 specifies that the message is divided by size in the ratio 2:1:1 into three groups: group A2, group B2, group C2. The message grouping scheme can be generated by specifying several message grouping schemes in advance and then randomly designating one of them. For example, 10 message grouping schemes are specified in advance: message grouping scheme 1, message grouping scheme 2, ..., message grouping scheme 10. When a message grouping scheme needs to be generated, one is randomly designated from among them. The encryption key corresponding to each group can likewise be generated by specifying an encryption key set in advance and then randomly designating keys from it. For example, the encryption key set contains 100 keys. In message grouping scheme 1 mentioned above, which divides the message equally into group A1, group B1 and group C2, an encryption key k1 is randomly designated from the 100 keys for group A1, an encryption key k2 is randomly designated from the 100 keys for group A2, and an encryption key k3 is randomly designated from the 100 keys for group A3. The encryption serial number is a sequence number that distinguishes the current encryption from other encryptions. Each time the authentication center performs an encryption, it allocates one encryption serial number. In general, the encryption serial number allocated each time is different. In this way, at subsequent decryption, the message grouping scheme and the encryption key corresponding to each group that were used to encrypt the message can be uniquely found from the received encryption serial number, and the encrypted message can be decrypted.
After generating the message grouping scheme, the encryption key corresponding to each group, and the encryption serial number, the authentication center encrypts the message to be encrypted according to the generated message grouping scheme and the encryption key corresponding to each group, obtaining the encrypted message. For example, suppose the generated message grouping scheme is message grouping scheme 1, that is, the message is divided equally into group A1, group B1 and group C2, the encryption key corresponding to group 1 is k1, the encryption key corresponding to group 2 is k2, and the encryption key corresponding to group 3 is k3. The authentication center first divides the message to be encrypted into 3 groups, encrypts them with k1, k2 and k3 respectively, and combines them to obtain the encrypted message.
Then, the authentication center sends the encrypted message and the encryption serial number to the message sending terminal.
In step 430, the encrypted message is sent together with the encryption serial number to the message receiving terminal.
Then, the message receiving terminal stores the received encrypted message in association with the encryption serial number.
In the embodiments of the present application, the encryption key for the encrypted message is not stored at the message receiving terminal; the message receiving terminal does not even know the encryption key, because decryption is performed by the authentication center. What the message receiving terminal stores is the received encrypted message and the encryption serial number. Thus, even if an attacker gains control of the environment in which the encrypted data runs and is stored, the attacker cannot decrypt the encrypted data. In addition, the encrypted message is not encrypted with a single key; rather, the authentication center divides the message to be sent by the message sending terminal into groups according to the message grouping scheme and encrypts each group with the encryption key corresponding to that group. With such a complex encryption method, even if an attacker gains control of the environment in which the encrypted data runs and is stored, it is difficult to recover the grouping scheme and each encryption key by reverse engineering, and so the encrypted message cannot be decrypted.
Then, in response to a request to obtain the message content, the message receiving terminal sends the stored encrypted message and its encryption serial number to the authentication center. The authentication center authenticates the identity of the message receiving terminal.
The identity of the message receiving terminal can be authenticated by actively querying the identifier of the message receiving terminal. If the message receiving terminal were allowed to report its own identifier, an unauthorized message receiving terminal (possibly an attacker) might learn the identifier of another, authorized message receiving terminal and report that identifier to the authentication center as its own, thereby passing authentication under false pretences. Therefore, the authentication center actively queries the identifier of the message receiving terminal. In general, under the communication protocol between the message receiving terminal and the authentication center, when the message receiving terminal sends a message to the authentication center, its identifier is loaded automatically, according to the communication protocol, into a specific field of the transmitted message. This field cannot be modified manually and is dedicated to indicating the identity of the party communicating with the authentication center. The authentication center can therefore obtain the message receiving terminal identifier from the specific field in the messages exchanged between the message receiving terminal and the authentication center. Because the identifier in this field cannot be tampered with, the identifier of the message receiving terminal is determined accurately in this way. The message receiving terminal identifier is then compared with the authorized terminal identifier list. The identifiers of terminals that can be trusted to communicate securely are all registered in advance in the authorized terminal identifier list of the authentication center. If the message receiving terminal identifier is in the authorized terminal identifier list, authentication passes. If the message receiving terminal identifier is not in the authorized terminal identifier list, authentication fails.
Then, the authentication center decrypts the encrypted message according to the message grouping scheme and the encryption key corresponding to each group that were used when encrypting the message.
In addition to generating the message grouping scheme, the encryption key corresponding to each group, and the encryption serial number, the authentication center also stores the generated message grouping scheme and the encryption key corresponding to each group in association with the encryption serial number. Thus, after the authentication center has authenticated the identity of the message receiving terminal and authentication has passed, it can look up, from this stored record, the message grouping scheme and encryption keys corresponding to the received encryption serial number. The authentication center decrypts the encrypted message according to the message grouping scheme found and the encryption key corresponding to each group.
Then, the authentication center sends the decrypted message content to the message receiving terminal.
Because the key parts of decryption are all carried out at the authentication center, even if an attacker gains control of the environment in which the encrypted data runs and is stored at the message receiving terminal, the attacker cannot reverse-engineer and crack the encrypted message with only an encryption serial number. If the attacker obtains the encryption serial number and requests the decrypted data from the authentication center, that cannot succeed either, because the attacker cannot pass the authentication center's authentication of the requester's identity. The message receiving terminal, by contrast, can pass authentication and can therefore request the decrypted data. In this way, information security is still achieved even when an attacker can gain control of the environment in which the encrypted data runs and is stored.
It should be noted that although the operations of the method of the present invention are described in a particular order in the drawings, this does not require or imply that these operations must be performed in that particular order, or that all of the operations shown must be performed to achieve the desired result. On the contrary, the steps depicted in the flowcharts may be executed in a different order. Additionally or alternatively, some steps may be omitted, multiple steps may be merged into one step for execution, and/or one step may be decomposed into multiple steps for execution.
With further reference to Fig. 5, an exemplary block diagram of a fixed-key symmetric white-box cipher encryption device 500 according to an embodiment of the present application is shown.
As shown in Fig. 5, the asymmetric white-box cipher encryption device 500 includes: a first receiving unit 510, configured to receive an encrypted message and an encryption serial number from the message sending terminal, wherein the encrypted message is obtained by the authentication center dividing the message to be sent by the message sending terminal into groups according to a message grouping scheme and encrypting each group with the encryption key corresponding to that group, is returned to the message sending terminal together with the allocated encryption serial number, and is then forwarded by the message sending terminal; a first storage unit 520, configured to store the received encrypted message in association with the encryption serial number; a first sending unit 530, configured to, in response to a request to obtain the message content, send the stored encrypted message and its encryption serial number to the authentication center, so that the authentication center authenticates the identity of the message receiving terminal and, after the authentication passes, decrypts the encrypted message according to the message grouping scheme and the encryption key corresponding to each group that the authentication center used when encrypting the message; and a second receiving unit 540, configured to receive from the authentication center the message content obtained by decryption.
Optionally, the authentication center authenticates the identity of the message receiving terminal by obtaining the message receiving terminal identifier from a specific field in a message exchanged between the message receiving terminal and the authentication center, and comparing that identifier with the list of authorized terminal identifiers.
Optionally, if the message receiving terminal identifier is in the list of authorized terminal identifiers, the authentication passes.
With further reference to Fig. 6, an exemplary block diagram of a fixed-key symmetric white-box cipher encryption device 600 according to an embodiment of the present application is shown.
As shown in Fig. 6, the asymmetric white-box cipher encryption device 600 includes: a third receiving unit 610, configured to receive an encrypted message and an encryption serial number from the message receiving terminal, wherein the encrypted message is obtained by dividing the message to be sent by the message sending terminal into groups according to a message grouping scheme and encrypting each group with the encryption key corresponding to that group, is returned to the message sending terminal together with the allocated encryption serial number, is forwarded by the message sending terminal to the message receiving terminal, and is forwarded by the message receiving terminal in response to a request to obtain the message content; a first authentication unit 620, configured to authenticate the identity of the message receiving terminal; a decryption unit 630, configured to, if the authentication passes, decrypt the encrypted message according to the message grouping scheme used when the message was encrypted and the encryption key corresponding to each group; and a second sending unit 640, configured to send the message content obtained by decryption to the message receiving terminal.
Optionally, the device 600 further includes: a third sending unit, configured to send an authentication failure message to the message receiving terminal if the authentication fails.
Optionally, the device 600 further includes: a fourth receiving unit, configured to receive the message to be encrypted from the message sending terminal; a second authentication unit, configured to authenticate the identity of the message sending terminal; a first generating unit, configured to, if the authentication passes, generate a message grouping scheme, an encryption key corresponding to each group, and an encryption serial number; an encryption unit, configured to encrypt the message to be encrypted according to the generated message grouping scheme and the encryption key corresponding to each group, to obtain an encrypted message; and a fourth sending unit, configured to send the encrypted message and the encryption serial number to the message sending terminal.
Optionally, the device 600 further includes: a second storage unit, configured to store the generated message grouping scheme, the encryption key corresponding to each group and the encryption serial number in association with one another.
Optionally, the first authentication unit 620 is further configured to: obtain the message receiving terminal identifier from a specific field in a message exchanged between the message receiving terminal and the authentication center; and compare the message receiving terminal identifier with the list of authorized terminal identifiers.
Optionally, the second authentication unit is further configured to: obtain the message sending terminal identifier from a specific field in a message exchanged between the message sending terminal and the authentication center; and compare the message sending terminal identifier with the list of authorized terminal identifiers.
With further reference to Fig. 7, an exemplary block diagram of a fixed-key symmetric white-box cipher encryption device 700 according to an embodiment of the present application is shown.
As shown in Fig. 7, the asymmetric white-box cipher encryption device 700 includes: a fifth sending unit 710, configured to send the message to be encrypted to the authentication center; a fifth receiving unit 720, configured to, if the authentication center's authentication of the identity of the message sending terminal passes, receive the encrypted message obtained by the authentication center encrypting the message to be encrypted according to the message grouping scheme and the encryption key corresponding to each group, together with the encryption serial number allocated by the authentication center; and a sixth sending unit 730, configured to send the encrypted message together with the encryption serial number to the message receiving terminal.
It should be understood that the systems or units described in Figs. 5-7 correspond to the respective steps of the methods described with reference to Figs. 2-4. The operations and features described above for the methods therefore apply equally to Figs. 5-7 and the units they contain, and are not repeated here.
Referring now to Fig. 8, a schematic structural diagram of a computer system 800 suitable for implementing the message receiving terminal of the embodiments of the present application is shown.
As shown in Fig. 8, the computer system 800 includes a central processing unit (CPU) 801, which can perform various appropriate actions and processes according to a program stored in read-only memory (ROM) 802 or a program loaded from a storage section 808 into random access memory (RAM) 803. The RAM 803 also stores the various programs and data required for the operation of the system 800. The CPU 801, ROM 802 and RAM 803 are connected to one another by a bus 804. An input/output (I/O) interface 805 is also connected to the bus 804.
The following components are connected to the I/O interface 805: an input section 806 including a keyboard, a mouse and the like; an output section 807 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, as well as a loudspeaker and the like; a storage section 808 including a hard disk and the like; and a communication section 809 including a network interface card such as a LAN card or a modem. The communication section 809 performs communication processing via a network such as the Internet. A drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811, such as a magnetic disk, an optical disc, a magneto-optical disk or a semiconductor memory, is mounted on the drive 810 as needed, so that a computer program read from it can be installed into the storage section 808 as needed.
Referring now to Fig. 9, a schematic structural diagram of a computer system 900 suitable for implementing the authentication center of the embodiments of the present application is shown.
As shown in Fig. 9, the computer system 900 includes a central processing unit (CPU) 901, which can perform various appropriate actions and processes according to a program stored in read-only memory (ROM) 902 or a program loaded from a storage section 908 into random access memory (RAM) 903. The RAM 903 also stores the various programs and data required for the operation of the system 900. The CPU 901, ROM 902 and RAM 903 are connected to one another by a bus 904. An input/output (I/O) interface 905 is also connected to the bus 904.
The following components are connected to the I/O interface 905: an input section 906 including a keyboard, a mouse and the like; an output section 907 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, as well as a loudspeaker and the like; a storage section 908 including a hard disk and the like; and a communication section 909 including a network interface card such as a LAN card or a modem. The communication section 909 performs communication processing via a network such as the Internet. A drive 910 is also connected to the I/O interface 905 as needed. A removable medium 911, such as a magnetic disk, an optical disc, a magneto-optical disk or a semiconductor memory, is mounted on the drive 910 as needed, so that a computer program read from it can be installed into the storage section 908 as needed.
Referring now to Fig. 10, a schematic structural diagram of a computer system 1000 suitable for implementing the message receiving terminal of the embodiments of the present application is shown.
As shown in Fig. 10, the computer system 1000 includes a central processing unit (CPU) 1001, which can perform various appropriate actions and processes according to a program stored in read-only memory (ROM) 1002 or a program loaded from a storage section 1008 into random access memory (RAM) 1003. The RAM 1003 also stores the various programs and data required for the operation of the system 1000. The CPU 1001, ROM 1002 and RAM 1003 are connected to one another by a bus 1004. An input/output (I/O) interface 1005 is also connected to the bus 1004.
The following components are connected to the I/O interface 1005: an input section 1006 including a keyboard, a mouse and the like; an output section 1007 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, as well as a loudspeaker and the like; a storage section 1008 including a hard disk and the like; and a communication section 1009 including a network interface card such as a LAN card or a modem. The communication section 1009 performs communication processing via a network such as the Internet. A drive 1010 is also connected to the I/O interface 1005 as needed. A removable medium 1011, such as a magnetic disk, an optical disc, a magneto-optical disk or a semiconductor memory, is mounted on the drive 1010 as needed, so that a computer program read from it can be installed into the storage section 1008 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to Figs. 2-4 may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program containing program code for performing the methods of Figs. 2-4. In such embodiments, the computer program may be downloaded and installed from a network via the communication section 809, 909 or 1009, and/or installed from the removable medium 811, 911 or 1011.
The flowcharts and block diagrams in the drawings illustrate the architecture, functions and operations of possible implementations of systems, methods and computer program products according to various embodiments of the invention. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units or modules described in the embodiments of the present application may be implemented in software or in hardware. The described units or modules may also be provided in a processor. In some cases the names of these units or modules do not constitute a limitation on the units or modules themselves.
In another aspect, the present application also provides a computer-readable storage medium, which may be the computer-readable storage medium contained in the device described in the above embodiments, or may be a computer-readable storage medium that exists separately and is not assembled into a device. The computer-readable storage medium stores one or more programs, which are used by one or more processors to perform the formula input method described in the present application.
The above description is only of the preferred embodiments of the present application and an explanation of the technical principles applied. Those skilled in the art should understand that the scope of the invention involved in the present application is not limited to technical solutions formed by the particular combination of the above technical features, and should also cover other technical solutions formed by any combination of the above technical features or their equivalent features without departing from the inventive concept, for example, technical solutions formed by replacing the above features with technical features having similar functions disclosed in (but not limited to) the present application.

Claims (23)

1. A fixed-key symmetric white-box cipher encryption method, characterized in that the method comprises:
receiving an encrypted message and an encryption serial number from a message sending terminal, wherein the encrypted message is obtained by an authentication center dividing the message to be sent by the message sending terminal into groups according to a message grouping scheme and encrypting each group with the encryption key corresponding to that group, is returned to the message sending terminal together with the allocated encryption serial number, and is then forwarded by the message sending terminal;
storing the received encrypted message in association with the encryption serial number;
in response to a request to obtain the message content, sending the stored encrypted message and its encryption serial number to the authentication center, so that the authentication center authenticates the identity of the message receiving terminal and, after the authentication passes, decrypts the encrypted message according to the message grouping scheme and the encryption key corresponding to each group that the authentication center used when encrypting the message;
receiving from the authentication center the message content obtained by decryption.
2. The method according to claim 1, characterized in that the authentication center authenticates the identity of the message receiving terminal by obtaining the message receiving terminal identifier from a specific field in a message exchanged between the message receiving terminal and the authentication center, and comparing the message receiving terminal identifier with the list of authorized terminal identifiers.
3. The method according to claim 2, characterized in that if the message receiving terminal identifier is in the list of authorized terminal identifiers, the authentication passes.
4. A fixed-key symmetric white-box cipher encryption method, characterized in that the method comprises:
receiving an encrypted message and an encryption serial number from a message receiving terminal, wherein the encrypted message is obtained by dividing the message to be sent by a message sending terminal into groups according to a message grouping scheme and encrypting each group with the encryption key corresponding to that group, is returned to the message sending terminal together with the allocated encryption serial number, is forwarded by the message sending terminal to the message receiving terminal, and is forwarded by the message receiving terminal in response to a request to obtain the message content;
authenticating the identity of the message receiving terminal;
if the authentication passes, decrypting the encrypted message according to the message grouping scheme used when the message was encrypted and the encryption key corresponding to each group;
sending the message content obtained by decryption to the message receiving terminal.
5. The method according to claim 4, characterized in that the method further comprises:
if the authentication fails, sending an authentication failure message to the message receiving terminal.
6. The method according to claim 4, characterized in that, before receiving the encrypted message and the encryption serial number from the message receiving terminal, the method further comprises:
receiving the message to be encrypted from the message sending terminal;
authenticating the identity of the message sending terminal;
if the authentication passes, generating a message grouping scheme, an encryption key corresponding to each group, and an encryption serial number;
encrypting the message to be encrypted according to the generated message grouping scheme and the encryption key corresponding to each group, to obtain an encrypted message;
sending the encrypted message and the encryption serial number to the message sending terminal.
7. The method according to claim 6, characterized in that, after generating the message grouping scheme, the encryption key corresponding to each group and the encryption serial number, the method further comprises:
storing the generated message grouping scheme, the encryption key corresponding to each group and the encryption serial number in association with one another.
8. The method according to claim 4, characterized in that authenticating the identity of the message receiving terminal comprises:
obtaining the message receiving terminal identifier from a specific field in a message exchanged between the message receiving terminal and the authentication center;
comparing the message receiving terminal identifier with the list of authorized terminal identifiers.
9. The method according to claim 6, characterized in that authenticating the identity of the message sending terminal comprises:
obtaining the message sending terminal identifier from a specific field in a message exchanged between the message sending terminal and the authentication center;
comparing the message sending terminal identifier with the list of authorized terminal identifiers.
10. A fixed-key symmetric white-box cipher encryption method, characterized in that the method comprises:
sending the message to be encrypted to an authentication center;
if the authentication center's authentication of the identity of the message sending terminal passes, receiving the encrypted message obtained by the authentication center encrypting the message to be encrypted according to a message grouping scheme and the encryption key corresponding to each group, together with the encryption serial number allocated by the authentication center;
sending the encrypted message together with the encryption serial number to a message receiving terminal.
11. A fixed-key symmetric white-box cipher encryption device, characterized in that the device comprises:
a first receiving unit, configured to receive an encrypted message and an encryption serial number from a message sending terminal, wherein the encrypted message is obtained by an authentication center dividing the message to be sent by the message sending terminal into groups according to a message grouping scheme and encrypting each group with the encryption key corresponding to that group, is returned to the message sending terminal together with the allocated encryption serial number, and is then forwarded by the message sending terminal;
a first storage unit, configured to store the received encrypted message in association with the encryption serial number;
a first sending unit, configured to, in response to a request to obtain the message content, send the stored encrypted message and its encryption serial number to the authentication center, so that the authentication center authenticates the identity of the message receiving terminal and, after the authentication passes, decrypts the encrypted message according to the message grouping scheme and the encryption key corresponding to each group that the authentication center used when encrypting the message;
a second receiving unit, configured to receive from the authentication center the message content obtained by decryption.
12. The device according to claim 11, characterized in that the authentication center authenticates the identity of the message receiving terminal by obtaining the message receiving terminal identifier from a specific field in a message exchanged between the message receiving terminal and the authentication center, and comparing the message receiving terminal identifier with the list of authorized terminal identifiers.
13. The device according to claim 12, characterized in that if the message receiving terminal identifier is in the list of authorized terminal identifiers, the authentication passes.
14. A fixed-key symmetric white-box cipher encryption device, characterized in that the device comprises:
a third receiving unit, configured to receive an encrypted message and an encryption serial number from a message receiving terminal, wherein the encrypted message is obtained by dividing the message to be sent by a message sending terminal into groups according to a message grouping scheme and encrypting each group with the encryption key corresponding to that group, is returned to the message sending terminal together with the allocated encryption serial number, is forwarded by the message sending terminal to the message receiving terminal, and is forwarded by the message receiving terminal in response to a request to obtain the message content;
a first authentication unit, configured to authenticate the identity of the message receiving terminal;
a decryption unit, configured to, if the authentication passes, decrypt the encrypted message according to the message grouping scheme used when the message was encrypted and the encryption key corresponding to each group;
a second sending unit, configured to send the message content obtained by decryption to the message receiving terminal.
15. The device according to claim 14, characterized in that the device further comprises:
a third sending unit, configured to send an authentication failure message to the message receiving terminal if the authentication fails.
16. The device according to claim 14, characterized in that the device further comprises:
a fourth receiving unit, configured to receive the message to be encrypted from the message sending terminal;
a second authentication unit, configured to authenticate the identity of the message sending terminal;
a first generating unit, configured to, if the authentication passes, generate a message grouping scheme, an encryption key corresponding to each group, and an encryption serial number;
an encryption unit, configured to encrypt the message to be encrypted according to the generated message grouping scheme and the encryption key corresponding to each group, to obtain an encrypted message;
a fourth sending unit, configured to send the encrypted message and the encryption serial number to the message sending terminal.
17. The device according to claim 16, characterized in that the device further comprises:
a second storage unit, configured to store the generated message grouping scheme, the encryption key corresponding to each group and the encryption serial number in association with one another.
18. The device according to claim 14, characterized in that the first authentication unit is further configured to:
obtain the message receiving terminal identifier from a specific field in a message exchanged between the message receiving terminal and the authentication center;
compare the message receiving terminal identifier with the list of authorized terminal identifiers.
19. The device according to claim 16, characterized in that the second authentication unit is further configured to:
obtain the message sending terminal identifier from a specific field in a message exchanged between the message sending terminal and the authentication center;
compare the message sending terminal identifier with the list of authorized terminal identifiers.
20. A fixed-key symmetric white-box cipher encryption device, characterized in that the device comprises:
a fifth sending unit, configured to send the message to be encrypted to an authentication center;
a fifth receiving unit, configured to, if the authentication center's authentication of the identity of the message sending terminal passes, receive the encrypted message obtained by the authentication center encrypting the message to be encrypted according to a message grouping scheme and the encryption key corresponding to each group, together with the encryption serial number allocated by the authentication center;
a sixth sending unit, configured to send the encrypted message together with the encryption serial number to a message receiving terminal.
21. Equipment comprising a processor, a memory and a display, characterized in that:
the memory contains instructions executable by the processor to cause the processor to perform:
receiving an encrypted message and an encryption serial number from a message sending terminal, wherein the encrypted message is obtained by an authentication center dividing the message to be sent by the message sending terminal into groups according to a message grouping scheme and encrypting each group with the encryption key corresponding to that group, is returned to the message sending terminal together with the allocated encryption serial number, and is then forwarded by the message sending terminal;
storing the received encrypted message in association with the encryption serial number;
in response to a request to obtain the message content, sending the stored encrypted message and its encryption serial number to the authentication center, so that the authentication center authenticates the identity of the message receiving terminal and, after the authentication passes, decrypts the encrypted message according to the message grouping scheme and the encryption key corresponding to each group that the authentication center used when encrypting the message;
receiving from the authentication center the message content obtained by decryption.
22. Equipment comprising a processor, a memory and a display, characterized in that:
the memory contains instructions executable by the processor to cause the processor to perform:
receiving an encrypted message and an encryption serial number from a message receiving terminal, wherein the encrypted message is obtained by dividing the message to be sent by a message sending terminal into groups according to a message grouping scheme and encrypting each group with the encryption key corresponding to that group, is returned to the message sending terminal together with the allocated encryption serial number, is forwarded by the message sending terminal to the message receiving terminal, and is forwarded by the message receiving terminal in response to a request to obtain the message content;
authenticating the identity of the message receiving terminal;
if the authentication passes, decrypting the encrypted message according to the message grouping scheme used when the message was encrypted and the encryption key corresponding to each group;
sending the message content obtained by decryption to the message receiving terminal.
23. Equipment comprising a processor, a memory and a display, characterized in that:
the memory contains instructions executable by the processor to cause the processor to perform:
sending the message to be encrypted to an authentication center;
if the authentication center's authentication of the identity of the message sending terminal passes, receiving the encrypted message obtained by the authentication center encrypting the message to be encrypted according to a message grouping scheme and the encryption key corresponding to each group, together with the encryption serial number allocated by the authentication center;
sending the encrypted message together with the encryption serial number to a message receiving terminal.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611107935.5A CN106656463A (en) 2016-12-06 2016-12-06 Fixed-secret-key symmetric white box password encryption method, device and equipment

Publications (1)

Publication Number Publication Date
CN106656463A true CN106656463A (en) 2017-05-10

Family

ID=58818750

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611107935.5A Pending CN106656463A (en) 2016-12-06 2016-12-06 Fixed-secret-key symmetric white box password encryption method, device and equipment

Country Status (1)

Country Link
CN (1) CN106656463A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107276741A (en) * 2017-06-06 2017-10-20 北京洋浦伟业科技发展有限公司 Air state concealed-enciphering guard method and device
CN107809313A (en) * 2017-10-31 2018-03-16 北京三未信安科技发展有限公司 A kind of whitepack crypto-operation method and system
US11502817B2 (en) 2020-02-12 2022-11-15 Wipro Limited Enhanced data security system and method thereof

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050182735A1 (en) * 2004-02-12 2005-08-18 Zager Robert P. Method and apparatus for implementing a micropayment system to control e-mail spam
CN101902664A (en) * 2009-05-26 2010-12-01 中兴通讯股份有限公司 Method and system for improving encryption/decryption speed of passive optical network
CN103716157A (en) * 2013-12-13 2014-04-09 厦门市美亚柏科信息股份有限公司 Grouped multiple-key encryption method and grouped multiple-key encryption device
CN104410616A (en) * 2014-11-20 2015-03-11 广州日滨科技发展有限公司 Method and system for encrypting, decrypting and transmitting data
EP2940920A2 (en) * 2014-04-28 2015-11-04 Nxp B.V. Security patch without changing the key

Similar Documents

Publication Publication Date Title
EP2228942B1 (en) Securing communications sent by a first user to a second user
CN109274503A (en) Distributed collaboration endorsement method and distributed collaboration signature apparatus, soft shield system
CN104158827B (en) Ciphertext data sharing method, device, inquiry server and upload data client
CN106650482A (en) Electronic file encryption method and device, electronic file decryption method and device and electronic file encryption and decryption system
CN101529791A (en) A method and apparatus to provide authentication and privacy with low complexity devices
CN109800588B (en) Dynamic bar code encryption method and device and dynamic bar code decryption method and device
CN109067528A (en) Crypto-operation, method, cryptographic service platform and the equipment for creating working key
CN101815091A (en) Cipher providing equipment, cipher authentication system and cipher authentication method
CN107172056A (en) A kind of channel safety determines method, device, system, client and server
US20070055893A1 (en) Method and system for providing data field encryption and storage
CN108809633A (en) A kind of identity authentication method, apparatus and system
CN106789963A (en) Asymmetric whitepack cipher encrypting method and device and equipment
CN107690079A (en) Privacy of user guard method in live platform
CN106656463A (en) Fixed-secret-key symmetric white box password encryption method, device and equipment
CN110365472B (en) Quantum communication service station digital signature method and system based on asymmetric key pool pair
CN111008400A (en) Data processing method, device and system
CN104253692B (en) Key management method and device based on SE
CN106257859A (en) A kind of password using method
US10764260B2 (en) Distributed processing of a product on the basis of centrally encrypted stored data
CN107493281A (en) encryption communication method and device
KR101929355B1 (en) Encryption and decryption system using unique serial number and symmetric cryptography
CN106972928B (en) Bastion machine private key management method, device and system
CN112861156B (en) Secure communication method and device for display data, electronic equipment and storage medium
US20010009583A1 (en) Secret key registration method, secret key register, secret key issuing method, cryptographic communication method and cryptographic communication system
US10445510B2 (en) Data checking apparatus and method using same

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100083 Beijing, Haidian District Xueyuan Road 30 days building A 20 floor

Applicant after: Beijing Bang Bang Safety Technology Co. Ltd.

Address before: 100083 Beijing, Haidian District Xueyuan Road 30 days building A 20 floor

Applicant before: Yangpuweiye Technology Limited

RJ01 Rejection of invention patent application after publication

Application publication date: 20170510